Bug 65692 (CVE-2005-0247)

Summary: VUL-0: CVE-2005-0247: new postgresql problems
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: max, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2005-0247: CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) CVSSv2:NVD:CVE-2005-0227:4.3:(AV:L/AC:L/Au:S/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2005-02-10 21:37:27 UTC 
These were not yet fixed by the previous update: 
 
  
A flaw in the LOAD command in PostgreSQL was discovered.  
CAN-2005-0227  
  
A local user could bypass the EXECUTE permission check for functions by  
using the CREATE AGGREGATE command. CAN-2005-0244  
  
Multiple buffer overflows were found in PL/PgSQL. CAN-2005-0245,  
CAN-2005-0247  
  
A flaw in contrib/intagg CAN-2005-0246
Comment 1 Marcus Meissner 2005-02-10 21:37:27 UTC 
<!-- SBZ_reproduce  -->
n/a
Comment 2 Reinhard Max 2005-03-03 15:09:53 UTC 
CAN-2005-0227 has been fixed with the latest round of PostgreSQL patches already.
Comment 3 Marcus Meissner 2005-03-14 15:58:57 UTC 
any update?
Comment 4 Reinhard Max 2005-03-14 17:11:33 UTC 
CAN-2005-0244, CAN-2005-0245, and CAN-2005-0246 have also already been fixed
with the latest round of patch releases.

The only exception is CAN-2005-0244, for which no fix shows up in PostgreSQL
7.2.7 (SLES8). I'll ask the PostgreSQL folks whether that version wasn't
vulnerable or the fix was forgotten in the last patch release.

So the only remaining issue we have to fix for all our products is CAN-2005-0247.
Comment 5 Reinhard Max 2005-04-06 15:16:56 UTC 
CAN-2005-0244 was not relevant for 7.2.7.
Fixes to CAN-2005-0247 for sles8, 9.0, sles9 and 9.2 have just been submitted.
Sorry for the delay.
Comment 6 Ludwig Nussel 2005-04-07 14:34:00 UTC 
what about 8.2?
Comment 7 Ludwig Nussel 2005-04-07 15:06:49 UTC 
SM-Tracker-851 
 
Is any subpackage besides postgresql-server affected at all?
Comment 8 Reinhard Max 2005-04-07 17:08:42 UTC 
Oops, I forgot to submit 8.2. Will do it tomorrow.

Only postgresql-server is affected by this patch, but of course the other
subpackages from the recent version-update need to stay on the server.
Comment 9 Ludwig Nussel 2005-04-08 09:35:07 UTC 
What about not automatically restarting the server in %post so we can remove 
the annoying popup?
Comment 10 Ludwig Nussel 2005-04-08 09:38:10 UTC 
*grmbl* it's always postun of the old package so that's not possible.
Comment 11 Reinhard Max 2005-04-08 09:41:13 UTC 
This is already being done, at least in the more recent versions, but it only
works when the running server doesn't have any client connections. The other way
would be to restart the server in a way so that it kills all current client
connections, but I don't want to do that.

That's why we have and need this popup.
Comment 12 Ludwig Nussel 2005-04-08 09:55:13 UTC 
patchinfos submitted, I've included more info about CAN numbers.
Comment 13 Marcus Meissner 2005-04-19 16:11:02 UTC 
updates approved. needs advisory i think
Comment 14 Ludwig Nussel 2005-04-20 10:37:31 UTC 
advisory released
Comment 15 Thomas Biege 2009-10-13 21:04:53 UTC 
CVE-2005-0247: CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)